
Privacy Notice

This privacy notice explains how TrustSig OÜ ("we", "us", "our") handles personal data. We act in two distinct roles depending on the context.

LAST UPDATED: 26.05.2026
TABLE OF CONTENTS
  • 00 Our two roles at a glance
  • 01 Who We Are
  • 02 Threat-Protection Service on Customer Websites
  • 03 Visiting Our Website
  • 04 Becoming and Being Our Customer
  • 05 Supplier and Vendor Contacts
  • 06 Recruitment
  • 07 Security Monitoring of Our Systems
  • 08 Recipients, Sub-Processors, and Sales of Data
  • 09 Anonymised Threat Intelligence
  • 10 International Transfers
  • 11 Where Your Data Comes From
  • 12 Automated Decision-Making and Profiling
  • 13 Special Categories of Data and Children
  • 14 Your Rights
  • 15 Changes to This Notice

Our two roles at a glance

When we are the data processor — meaning we act only on the documented instructions of one of our customers — the customer is the data controller for that processing. We are a data processor when our threat-protection service is deployed on a customer's website or service. The customer chooses to use our service, can stop using it at any time, and configures how it operates, including the data-retention period. See Section 2.

When we are the data controller — meaning we decide what personal data is collected and why — we are responsible to you directly. This is the case when you visit our website, sign up as a customer, contact us, act as a supplier contact, or apply for a job with us. See Sections 3 to 7.

1. Who We Are

Organisation: TrustSig OÜ (Estonian registry code 16811982)
Address: Vabaduse pst 174b, Tallinn 10917, Estonia
Contact for data-subject rights and Data Protection Officer: legal@trustsig.eu
Security and breach contact: security@trustsig.eu

2. Threat-Protection Service on Customer Websites

When you visit a website or service that is protected by our threat-protection service, your personal data is processed on the documented instructions of our customer (the operator of that website or service). The customer is the data controller for that processing; we are the data processor. The customer chooses to use our service, can stop using it at any time, and configures how it operates — including the data-retention period.

What we do for the customer

  • We collect and process signals related to the user's activity.
  • We enrich those signals server-side with our own historical threat intelligence.
  • We compute a real-time trust/risk score and decide whether to allow, challenge, or block the request, so that the customer's site is protected against malicious and automated activity — including bots, fake accounts, credential stuffing, scraping, scalping, denial-of-service, vulnerability probing, and similar threats.
  • We store flagged or suspicious request data for the period the customer has configured, and provide the customer with security reports.
  • We anonymise data for later threat-intelligence work; see Section 9.

Categories of personal data

Technical information sent by the user's browser and device, network and connection characteristics, and interaction telemetry.

Automated decisions about your request

Yes — we automatically evaluate the risk of each request and assign one of three outcomes: allow, challenge, or block. Blocking malicious or non-human traffic does not in itself produce legal or similarly significant effects on you. If you believe a decision affecting your request was wrong, you can ask the customer (the data controller) for human review.

Retention

The customer configures the retention period for raw signals, typically between 30 days and 18 months. After that period, data is irreversibly anonymised. Anonymised data may be retained for longer periods to improve detection (see Section 9).

Recipients

Internally: our security analysts, threat analysts, and engineering teams. Externally: our core infrastructure providers (hosting and content-delivery), which are our sub-processors. No other recipients receive your data in connection with this service.

International transfers and sub-processor assurance

Where technically and operationally possible, the service is hosted within the European Union or the European Economic Area. Where personal data is transferred outside the EEA, we rely on a European Commission adequacy decision where one applies (including, where relevant, the EU–U.S. Data Privacy Framework) or on European Commission–approved Standard Contractual Clauses. All sub-processors we use are validated for compliance with applicable data-protection law before they are onboarded, and their compliance is reviewed on an ongoing basis.

Your rights regarding this processing

Please address rights requests to the operator of the website you visited — they are the data controller, and their own privacy notice should identify them and explain how to contact them.

3. Visiting Our Website

Two kinds of processing take place when you visit www.trustsig.eu.

3.1 Our own threat-protection service

We protect our website using the same service described in Section 2. Here, however, we are the data controller, because the website is ours. We rely on our legitimate interests and our legal obligation to ensure the security of processing. We keep flagged or suspicious request data for up to 18 months, after which it is irreversibly anonymised. The data categories, the enrichment, the automated allow/challenge/block decision, and your right to ask for human review are the same as in Section 2.

3.2 Tracking and cookies

We use two kinds of tracking on the website:

  • Strictly necessary — to keep you signed in to the self-service portal and to operate the site. No consent is required.
  • Analytics — to measure how visitors use the site. These are set only with your consent via the cookie banner. You can withdraw consent at any time in the banner; withdrawal does not affect processing carried out before withdrawal. The analytics partners retain the data for between 28 days and 26 months.

4. Becoming and Being Our Customer

If you sign up, contact our sales or support team, or submit a data-subject request, we process your contact details, billing information, the configuration choices you make, and the content of our correspondence with you (including any data-subject request you submit and our response). We rely on the service contract with your organisation (and any pre-contractual steps), on legal obligations covering accounting and tax, and on our legitimate interests in supporting you and improving the service.

How long we keep this data

  • Account info, billing, invoicing, and accounting source documents: 7 years after the relationship ends (statutory under Estonian accounting and tax law).
  • Support correspondence: 3 years after the case is closed.
  • Live-chat history: 6 months.
  • Data-subject request records: 3 years.

5. Supplier and Vendor Contacts

If you are a contact person at one of our suppliers or vendors, we process your name, business email and phone, and job title. Where the supplier is a sole trader, we additionally process your national ID code and bank details for payment. We rely on the supplier contract (where the contact person is a sole trader) or on our legitimate interests in managing supplier relationships (otherwise).

We keep this data for the duration of the active contract, then 7 years for accounting-related items (statutory) and 3 years for general correspondence (claims defence). Internally, the data is used by our procurement, finance, and operations teams. Externally, sole-trader and accounting-related data is shared with our accounting and bookkeeping service.

6. Recruitment

If you apply for a position with us, we process the personal data you provide in your application — typically your name, contact details, the content of your CV and cover letter, and our notes from any interviews. We keep your application for 1 year after the position is filled, then delete it.

7. Security Monitoring of Our Systems

We collect, retain, and analyse logs from our information systems to detect, investigate, and respond to security incidents. We keep security and audit logs for 3 years, and security-incident case files for 10 years after closure (claims defence). Logs related to a reported incident may be kept longer if needed for the investigation or for legal proceedings.

8. Recipients, Sub-Processors, and Sales of Data

We do not sell your data, and we do not share it with any third party for that third party's own commercial purposes. The categories of processors we use include: hosting and content-delivery providers; an email and collaboration platform; a live-chat platform; a payment-processing provider; an accounting and bookkeeping service; an analytics partner; identity and access-management providers.

Sub-processor assurance. All sub-processors we use are validated for compliance with applicable data-protection law before they are onboarded, and their compliance is reviewed on an ongoing basis.

9. Anonymised Threat Intelligence

We retain irreversibly anonymised threat indicators — attack patterns, indicators of compromise, rule-effectiveness metrics, and geographic aggregates — derived from both our own website and from customer deployments. This data does not identify any data subject and is used to improve detection rules, build attack-pattern models, and produce aggregated threat intelligence across all TrustSig deployments. The anonymised data is retained for up to 10 years.

10. International Transfers

Some of our processors are located outside the European Economic Area (EEA). Where technically and operationally possible, we configure our processors so that personal data resides within the European Union or the European Economic Area. Where personal data is transferred outside the EEA, we rely on one of the following safeguards:

  • a European Commission adequacy decision for the destination country (including, where relevant, the EU–U.S. Data Privacy Framework);
  • European Commission–approved Standard Contractual Clauses, with appropriate supplementary measures where required; or
  • other appropriate safeguards approved under applicable law.

11. Where Your Data Comes From

For most of the processing described above, we collect your data directly from you — when you visit our website, submit a form, contact us, sign up as a customer, or apply for a position.

12. Automated Decision-Making and Profiling

The only systematic automated decision-making we carry out is the threat-protection allow/challenge/block decision described in Sections 2 and 3.1. The logic, the categories of input data, the possible outcomes, the consequences, and the human-review route are all set out there. Beyond that, we may use limited engagement-based segmentation in connection with customer communications (for example to understand which of our product-update emails are most useful to a particular customer's authorised representatives). Such segmentation does not produce legal or similarly significant effects.

13. Special Categories of Data and Children

13.1 Special categories

We do not knowingly process special categories of personal data as part of the processing described in this notice. If we receive such data inadvertently, we will delete it as soon as we identify it, unless we have a specific lawful basis for retaining it.

13.2 Children

TrustSig is a business-to-business threat-protection product and is not directed at children. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected personal data from a child without verified parental consent, we will delete it.

14. Your Rights

You have the following rights regarding your personal data:

  • Right of access — obtain a copy of your data.
  • Right to rectification — have inaccurate data corrected.
  • Right to erasure — request deletion of your data where a ground applies.
  • Right to restriction — ask us to limit how we use your data.
  • Right to object — object to processing based on legitimate interests; we will assess each objection individually.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to withdraw consent — withdraw any consent at any time (without affecting prior processing).
  • Rights regarding automated decisions — see Sections 2, 3.1, and 12.

To exercise your rights, contact us at legal@trustsig.eu. We respond to rights requests within one month of receipt, extendable by a further two months for complex requests, with notice to you within the initial one-month period.

You also have the right to lodge a complaint with a supervisory authority. In Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon — AKI), https://www.aki.ee. In other EU/EEA countries, contact your national data protection authority.

15. Changes to This Notice

We may update this Privacy Notice from time to time. The "Last revised" date at the top of this page indicates when the notice was last changed. For material changes — for example new processing purposes or new categories of sub-processors that materially affect your rights — we will provide a more visible notice on the website.

© 2026 TrustSig